Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to alert if a syslog device does not send data in a rolling 24-hour period?

matthew_foos
Path Finder
‎09-13-2017 12:35 PM

Splunkers,

To meet a regulatory requirement, I need to alert on if a syslog device does NOT send data to the Indexers in a 24 hour period.

For example:
If host splunk1 does send data, no alert needs to be generated.
If host splunk2 does NOT send data, and alert must be generated.
This alert needs to have a hostname.

We are leveraging Nexpose to send a synthetic transaction to devices such as Cisco ACS switches.
Search example:
index=network message_text="Login failed for user SynTran01 - sshd" | stats count by host
This search string returns a count of 16 and it will always be 16 for this specific devices type.

Any advice would be greatly appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-13-2017 02:06 PM

Start with this query. Save it as an alert running at the desired interval and triggered when the number of hosts > 0.

| metadata type=hosts index=* | eval diff=now()-recentTime | where diff > 86400 | fieldformat recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | table host recentTime
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-13-2017 03:18 PM

HI matthew.foos,
you should create a lookup with all the hosts you have to monitor in your perimeter (e.g. a lookup called perimeter.csv with one field called host), and the schedule an alert like this

| metasearch index=* 
| eval host=upper(host)
| stats count by host
| append [ | inputlookup perimeter.csv | eval count=0, host=upper(host) | fields host count ]
| stats sum(count) AS Total by host
| where Total=0

You should check what is the minimum time period for monitoring because 24 hours probably is a too large period.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-13-2017 02:06 PM

Start with this query. Save it as an alert running at the desired interval and triggered when the number of hosts > 0.

| metadata type=hosts index=* | eval diff=now()-recentTime | where diff > 86400 | fieldformat recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S") | table host recentTime
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

sureshkumaar
Path Finder
‎10-01-2019 04:34 AM

Hi Richgalloway,

      Can i know what does this "where diff > 86400" trying to say in the query?
0 Karma
Reply
Solved! Jump to solution

decoherence
Explorer
‎10-22-2019 06:40 AM

The 'diff' variable (now()-recentTime) is greater than 86400 seconds (24 hours, as requested in the question.)

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...
Top